Under Review

Sophos Central Live Discover "User account locked out" query missing timestamps

"User account locked out (Data Lake)" query in Live Discover is missing timestamps for the individual events in the report. How can we get the time stamps?

Knowing the event happened but not knowing when significantly hampers the investigation. 

Is there a way to pivot to the event details, including the timestamp?

  • Hello Kushal, Fields time and datetime added to the query (one at a time). The field "datetime" returns "Column 'datetime' cannot be resolved'". The field "time" returns no data (the field is blank for all events). Thank you for your assistance but we don't want to continue on this topic anymore.  